U.S. patent application number 12/459717 was filed with the patent office on July 7, 2009 and published on 2011-01-13 as application publication 20110010549 (kind code A1) for an efficient key management system and method.
Invention is credited to Vijay Gurbani, Vladimir Kolesnikov.
Publication Number: 20110010549
Application Number: 12/459717
Family ID: 43428357
Publication Date: 2011-01-13
United States Patent Application 20110010549, Kind Code A1
Kolesnikov; Vladimir; et al.
January 13, 2011
Efficient key management system and method
Abstract
A system for providing cost effective, secure key exchange from
at least one first device to at least one second device through at
least one proxy server is provided. The system includes a first key
exchange message from the at least one first device to the at least
one second device via the at least one proxy server. A second key
exchange message from the at least one second device to the at
least one first device via a media stream of the Internet is
required to complete the computation of the session key. A method
of securing a communication system is also set forth. The method
includes the steps of providing a routing device for identifying a
subscriber, and providing a master key exchange session, the master
key exchange session including a key k to find a subscriber and a
nonce r to answer a query to the subscriber, wherein the master key
exchange session includes both the key k and the nonce r.
Inventors: Kolesnikov; Vladimir (Jersey City, NJ); Gurbani; Vijay (Lisle, IL)
Correspondence Address: Carmen Patti Law Group, LLC, One N. LaSalle Street, 44th Floor, Chicago, IL 60602, US
Family ID: 43428357
Appl. No.: 12/459717
Filed: July 7, 2009
Current U.S. Class: 713/171
Current CPC Class: H04L 9/083 20130101; H04L 65/1006 20130101; H04L 63/18 20130101; H04L 65/105 20130101; H04L 2209/76 20130101; H04L 63/061 20130101
Class at Publication: 713/171
International Class: H04L 9/00 20060101 H04L009/00
Claims
1. An efficient key exchange system in SIP comprising: a first
terminal adapted and constructed to send a signal; a second
terminal adapted and constructed to receive a signal; an alternate
terminal adapted and constructed to receive a signal and to send a
random nonce r to the first terminal; a first key exchange k
selectively transmitted from the first terminal via a signaling
layer to the second terminal; and upon receipt of the first key
exchange k by the second terminal, a random nonce r selectively
transmitted from the alternate terminal via a media layer to the
first terminal.
2. The efficient key exchange of claim 1 wherein a session key
derived from k and r is further defined by sk = F_k(r), where F
is a pseudorandom function.
3. The efficient key exchange of claim 2 wherein F is an AES
function, and wherein the domains of k and r are defined by k, r
∈ {0,1}^128.
4. The efficient key exchange of claim 1, wherein r is transmitted
from the alternate terminal to the first terminal using
plaintext.
5. The efficient key exchange of claim 1, wherein the first
terminal and the second terminal exchange a long-term PSK, and
execute provably secure and efficient key exchange in subsequent
SIP sessions.
6. The efficient key exchange of claim 2, wherein the problem of
forking is eliminated from the key exchange by the addition of the
nonce r to the definition of a session key.
7. The efficient key exchange of claim 1, wherein key derivation is
complete when the first terminal receives the random nonce r.
8. The efficient key exchange of claim 1, wherein the second
terminal and the alternate terminal are the same device.
9. A system for providing cost effective, secure key exchange from
at least one first device to at least one second device through at
least one proxy server comprising: a first key exchange from the at
least one first device to the at least one second device via the at
least one proxy server; and a second key exchange from the at least
one second device to the at least one first device via a media
stream of the Internet.
10. A system as defined in claim 9, wherein k is the first key
exchange message, and wherein k is transmitted via an SIP signaling
stream to the at least one second Internet device.
11. A system as defined in claim 9, wherein nonce r is the second
key exchange message, and wherein r is transmitted via the media
stream to the at least one first Internet device.
12. A system as defined in claim 11, wherein k remains constant for
all forked branches in the SIP signaling stream, and wherein each
branch contributes a unique r, thus preventing key leakage to
parties not part of the session due to the forking problem.
13. A method for operating a system comprising the steps of:
providing a routing identifier for first and second Internet
devices; generating a random key; transmitting the random key from
the first Internet device to the second internet device via a proxy
server using the routing identifier for the second Internet device;
generating a second key using the second Internet device; and
transmitting the second key to the first Internet device from the
second Internet device using a media layer of the Internet.
14. The method of claim 13 wherein the system generates efficient
key exchange, wherein the random key is further defined by a
key k and the second key is further defined by a nonce r, and wherein the
session key is further defined by sk = F_k(r), where F is a
pseudorandom function.
15. The method of claim 14 wherein F is an AES function, and
wherein the domains of k and r are defined by k, r ∈ {0,1}^128.
16. The method of claim 15, wherein the nonce r is transmitted from
the second Internet device to the first Internet device using
plaintext.
17. A key exchange system in a communication network comprising: a
key session including a signaling layer key k for identifying and
notifying at least one participant of a query from a first
electronic device, and a media layer nonce r for transmitting data
to the first electronic device; and a second electronic device
adapted and constructed to generate the data for the media layer
nonce r.
18. A system as claimed in claim 17, wherein the key session
changes with each signaling layer key k transmitted from the first
electronic device to the second electronic device.
19. A system as claimed in claim 17, wherein the first electronic
device and the second electronic device exchange a long-term
PSK.
20. A system as claimed in claim 17, wherein a PSK is stored in the
first electronic device, and wherein the first electronic device
determines if re-targeting has occurred when a repeat call is
initiated.
Description
TECHNICAL FIELD
[0001] This invention relates generally to an efficient key
management system and method, and more particularly to a key
management system suitable for use in Session Initiation Protocol
(SIP).
BACKGROUND
[0002] Long gone are the days of telephone party lines, used in the
early days of telephone operations. Party lines made life
interesting. Numerous users of telephones in their homes could
selectively eavesdrop on the conversations of others. Examples of
party line activity have been presented extensively in movies,
novels, and comedy skits, due to the unpredictable and undesirable
characteristics of shared communication. The telephone industry
worked hard to bring important improvements to telephone usage,
such as the private phone line. Privacy in communications has
become a highly valued concern of consumers. As communication has
expanded beyond the phone line and into the virtual world of the
Internet, a whole new set of complex problems are introduced in
trying to facilitate private communication in a cost effective
manner.
[0003] Private communication via network environments, such as the
Internet, can be difficult to achieve. Current efforts include
using, for example, Session Initiation Protocol (SIP) to
effectively exchange keys while providing desirable aspects of the
protocol, such as forking, re-targeting, request recursion, etc.
and reducing undesirable aspects, such as exchanging keys with
unintended parties, voice clipping, etc.
[0004] SIP is a rendezvous protocol for the Internet that was
published as an Internet Engineering Task Force (IETF) standard in
1999, and further revised in June 2002. SIP uses well-known
email-like identifiers to represent users, instead of using numeric
identifiers. SIP is a text-based request-response protocol. An SIP
environment includes user agents, proxy servers, redirect servers,
and registrars. SIP user agents provide software programs that
enable the rendezvous protocol when executed on a suitable
electronic device, such as a computer, Internet phone, personal
digital assistant (PDA), or any other suitable electronic device
for transmitting and receiving media over an Internet
connection.
[0005] Two types of SIP user agents are provided. The first type is
a user agent client (UAC), which originates requests, such as, for
example, a request to start a multimedia session. The second type
is a user agent server (UAS), which accepts and acts upon a request
from the UAC. Typically, a UAS will register with a registrar. Once
registered, the current IP address of the UAS is bound to an
email-like identifier. The email-like identifier is used to
identify the UAS. SIP proxy servers use the UAS email-like
identifier to route requests to a particular UAS from a UAC.
[0006] SIP proxy servers are intermediaries that provide critical
services for SIP sessions, such as routing, authentication, and
forking (creating a search tree in SIP). For example, a request to
establish a session or INVITE is routed to a downstream UAS via a
proxy server. The downstream UAS sends one or more provisional
responses to the INVITE followed by exactly one final response. The
responses traverse from the UAS to the UAC in reverse order over
the same proxy chain as the request. A session is established when
a UAC receives a final response from a UAS and sends out a new
request known as an ACK. The ACK and any subsequent requests can
flow directly from UAC to UAS, or vice versa, depending on the
policy of the proxy server. Some proxies may choose to stay in the
session such that all subsequent requests flow through them as
illustrated, for example, in FIG. 1, as discussed below. However,
media between UAC and UAS flows directly without being routed
through one or more SIP proxy servers, as illustrated in FIG. 1. In
other words, the SIP protocol is used to establish an initial
rendezvous, whereas a different media stream with a different
protocol is used for the exchange between UAC and UAS once the
rendezvous is established. Because the protocols are different,
providing security for the system as a whole is challenging.
[0007] Known key distribution protocols that attempt to address the
security challenge of the system include, for example, ZRTP and
DTLS-SRTP. DTLS-SRTP provides reasonably strong security against
attackers, but relies on public-key cryptography and certificates,
which is both fiscally and computationally costly, i.e., several
public-key operations are required per session. ZRTP is a complex
key distribution protocol with reasonable security. However, it is
both expensive to implement and has subtle vulnerabilities.
[0008] Thus, known keying protocols, public-key and symmetric alike,
have inherent drawbacks, such as cost and complexity, for SIP
sessions.
SUMMARY
[0009] A system for providing cost effective, secure key exchange
from at least one first device to at least one second device
through at least one proxy server is provided. The system includes
a first key exchange message from the at least one first device to
the at least one second device via the at least one proxy server. A
second key exchange message from the at least one second device to
the at least one first device via a media stream of the Internet is
required to complete the computation of the session key. A method
of securing a communication system is also set forth. The method
includes the steps of providing a routing device for identifying a
subscriber, and providing a master key exchange session, the master
key exchange session including a key k to find a subscriber and a
nonce r to answer a query to the subscriber, wherein the master key
exchange session includes both the key k and the nonce r.
DESCRIPTION OF THE DRAWINGS
[0010] Features of example implementations of the invention will
become apparent from the description, the claims, and the
accompanying drawings in which:
[0011] FIG. 1 is a background diagram for a session setup 100 using
SIP;
[0012] FIG. 2 is a diagram depicting an exemplary arrangement 200
of an advantageous key management system adapted for use in a
rendezvous protocol, such as the session setup 100 using SIP of
FIG. 1;
[0013] FIG. 3 is a block diagram depicting an exemplary arrangement
300 of a system constructed in accordance with the principles of
the present invention; and
[0014] FIG. 4 is a diagram depicting another exemplary arrangement
400 of a system constructed in accordance with the principles of
the present invention.
DETAILED DESCRIPTION
[0015] FIG. 1 is a background diagram for a session setup 100 using
SIP. The session setup 100 is the same for all keying protocols
adapted and constructed for SIP rendezvous protocol usage. The
setup 100 includes UAC 110, UAS 120, proxies P1 130, P2 140, and a
media stream (RTP) 150. Some proxies may choose to stay in the
session such that all subsequent requests flow through them as
illustrated, for example, by P2 140 in FIG. 1, where P2 receives
the ACK request from the UAC. However, media between UAC and UAS
flows directly along the RTP 150, without being routed through one
or more SIP proxy servers, as illustrated in FIG. 1. RTP by itself
does not protect the media. As a result Secure RTP, or SRTP, has been
developed to provide confidentiality, message authentication, and
replay protection to the RTP traffic. Widespread use of SRTP in SIP
has been hindered by ineffective keying protocols. In other words,
various keying protocols have been unable to negotiate security
contexts, i.e., cryptographic keys and parameters, while preserving
important SIP features.
[0016] As illustrated in FIG. 2, an exemplary arrangement 200 of an
advantageous key management system adapted for use in a rendezvous
protocol, such as the session setup 100 using SIP of FIG. 1, that
provides a cost effective keying system, or protocol is provided.
The system employs a signaling layer 210, and a media layer 220. An
initiator A, or Alice operates a first terminal 230 and selects a
random key k 240 to send to B, or Bob via the signaling layer, here
via an SIP framework. The random key k 240 is not the session key.
Instead, Bob receives the random key k 240 and then chooses a
random nonce r 250. Bob then sends the random nonce r back, in
plaintext via a second terminal 260, to Alice together with the
media stream, or layer 220. A session key, or sk 270, is derived
from both k 240 and r 250. In other words, the material for the
session key sk 270 is split between the signaling layer 210 and the
media layer 220. The sk 270 is used to immediately encrypt the media.
Sk 270 is the pseudorandom function F, keyed with k 240, evaluated on
r 250: sk = F_k(r), where F is a pseudorandom function with a fixed
domain and range. For example, where F is chosen to be the AES block
cipher (a pseudorandom permutation, which serves as the pseudorandom
function here), the domains of k and r can be k, r ∈ {0,1}^128, and
sk is one 128-bit block. In accordance with the key management system
described herein, a reasonably high level of security is achieved in
a simple and cost-effective manner. An adversary on the media path
may observe r but not k; because F_k under a key unknown to the
adversary is indistinguishable from a random function, such an
adversary can neither compute sk nor distinguish it from a random
string of the same length, even though r itself is known to it.
Conversely, an SIP proxy observes k but does not have access to the
media stream and so does not observe r. The scheme therefore rests on
the assumption that no single party sees both layers: any party that
obtains both k and r, for instance a proxy that also captures the
media, computes sk = F_k(r) directly. Thus, even active adversaries
succeed in only limited scenarios.
[0017] Further, the system herein eliminates the need for a PKI: it
adds a second layer to the key exchange without the complications and
costs of public-key operations. The system provides good security
levels to ensure privacy with minimal costs, reduces trust assumptions
on the SIP servers, and prevents the second terminal 260 from sharing
the session key with other forked branches. The system and method
herein achieve reasonable security at 1/100th of the cost of other
keying protocols, such as DTLS-SRTP.
[0018] Thus, a key management system and method that draws the
material for a random session key from two layers, one contribution
per layer, provides a simple, cost-effective and highly secure key
management system in accordance with the principles herein. Further,
the system is suitable for use in SIP. An additional advantage of
this interactive key management system is that the forking problem
does not arise: when a forked INVITE delivers the same k to several
of Bob's terminals, each terminal generates its own random r, so each
derives a different session key, and only the terminal whose r
reaches Alice shares her session key. Further, Alice and Bob can
establish a long-term PSK to make the key exchange in future sessions
more efficient and secure.
[0019] The general arrangement and functions of another exemplary
system 300 will now be described with reference to FIG. 3. These
elements of exemplary system 300 are preferably interconnected, and
preferably function as in known networks, with the exceptions and
enhancements noted herein. A system 300 includes a first terminal
310. User A employs the first terminal 310 to send a selected key k
320 via a signaling layer to a second terminal 330, and to other
alternate terminals 330a, 330b, 330c, . . . 330n, all reachable by
the routing identifier that A knows for B. B can respond to A using
device 330n by generating r 340 at 330n and transmitting r 340 to the
first terminal 310 via a media layer; r 340 is then combined with k
320 to produce the session key sk 350. In this embodiment, B may
select, for example, an alternate device such as alternate terminal
330n because it has operating characteristics desired for the session
with A, such as video features, or any other desired feature that the
device 330 may not have. Alternatively, the device 330 may have been
lost or broken, in which case B selects 330n out of necessity.
[0020] In yet another exemplary embodiment illustrated in FIG. 4, A
can determine whether B has forwarded his communications to an
alternate terminal C when the session key material arrives, by
inspecting the routing identifier information that C sends with r.
Specifically, another exemplary arrangement 400 of a system
constructed in accordance with the principles of the present
invention includes a first terminal 410a or 410b. A key k 420 is
generated by the first terminal 410a if a routing identifier for B is
used, and by 410b if a long-term PSK for B is used. K 420 is then
forwarded to a first proxy server P1 430 to look for B. P1 430 can
either find B directly, or continue to forward the query to at least
one additional proxy server, such as P2 440. Since B has forwarded
his routing identifier to C, k 420 is forwarded to C 450. C now
generates r 460 and transmits r 460 to A along a media layer;
combined with k 420, r 460 forms sk 470. The routing identifier
information transmitted with r 460 can be used to notify A that B has
re-targeted his routing identifier to C 450. This information
provides yet another security layer for the system.
[0021] An exemplary method of securing a communication system can
include the steps of providing a routing device for identifying a
subscriber; and providing a master key exchange session, the master
key exchange session including a key k to find a subscriber and a
nonce r to answer a query to the subscriber, wherein the master key
exchange session includes both the key k and the nonce r.
[0022] The method can be further defined wherein the key k is sent
over a SIP network.
[0023] The method can be even further defined wherein the nonce r
is sent by the subscriber over a media channel. The media channel
of the method can be an Internet media channel. In accordance with
the method, the system is further defined by sk = F_k(r), where F
is a pseudorandom function. F can also be an AES function, wherein
the domains of k and r are defined by k, r ∈ {0,1}^128.
An exemplary system having a secure session key can include a first
device for transmitting a random key k over an SIP framework; and a
second device for receiving the random key k, the second device
selecting a random nonce r and transmitting the random nonce r in
plaintext over a media layer to the first device.
[0024] Yet another system for generating a secure session key can
include a first communication device for generating a signaling key
packet; a second communication device for generating a media key
packet; and wherein the signaling key packet is sent to the second
communication device over a signaling layer and the media key
packet is sent to the first communication device over a media
layer.
[0025] The present application relates to an efficient key
management system and method, which may be implemented using a
variety of electronic and optical technologies, including but not
limited to: analog electronic systems; digital electronic systems;
microprocessors and other processing elements; and software and
otherwise embodied collections of steps, instructions, and the
like, for implementing methods, processes, or policies in
conjunction with such systems and processing elements. It will be
appreciated that in the telecommunications arts, various signal
leads, busses, data paths, data structures, channels, buffers,
message-passing interfaces, and other communications paths may be
used to implement a facility, structure, or method for conveying
information or signals, and are often functionally equivalent.
Accordingly, unless otherwise noted, references to apparatus or
data structures for conveying a signal or information are intended
to refer generally to all functionally equivalent apparatus and
data structures.
[0026] However, one of skill in the art will appreciate that the
teachings of the present application could be applied to other
types of wireless networks (perhaps with modifications within the
ken of a skilled artisan) without departing from the spirit of the
present invention.
[0027] Specifically, a novel system and method of key exchange with
minimal costs could be provided in a variety of communication
environments without departing from the spirit of the invention.
For instance, the steps may be performed in a differing order, or
steps may be added, deleted, or modified. Further, signaling and
media layers could be bound to an internal subscriber network
without departing from the principles described herein.
[0028] The embodiments described herein are exemplary. Thus it will
be appreciated that although the embodiments are described in terms
of specific technologies, other equivalent technologies could be
used to implement systems in keeping with the spirit of the present
invention.
[0029] The method set forth herein can include computer readable
storage medium storing instructions which, when executed on a
programmed processor achieve the novel keying protocol.
[0030] Although example implementations of the invention have been
depicted and described in detail herein, it will be apparent to
those skilled in the relevant art that various modifications,
additions, substitutions, and the like can be made without
departing from the spirit of the invention and these are therefore
considered to be within the scope of the invention as defined in
the following claims.
* * * * *